https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/373895#M428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163514">@BillStrahan</a>,&nbsp;</P><P>&nbsp;</P><P>Were you able to successfully add the GoToMeeting executable to the allow list using any previous suggestions?</P> Fri, 11 Dec 2020 17:19:40 GMT gjenkins 2020-12-11T17:19:40Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/365349#M392 <P>Does anyone know how to whitelist the GoToMeeting download?</P><P>&nbsp;</P><P>It is an EXE but the client agent blocks it.&nbsp; When I attempt to whitelist it, EVERY SINGLE download is a different hash value making it impossible to whitelist.</P><P>&nbsp;</P><P>Thanks for any suggestions.</P> Tue, 24 Nov 2020 20:21:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/365349#M392 BillStrahan 2020-11-24T20:21:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/365380#M393 <P>Can you please post the alert details?</P><P>You can actually make an exception based on the filename, signer or various other methods etc.. under the Invetigation tab &gt; Exclusions.</P> Tue, 24 Nov 2020 21:25:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/365380#M393 KanwarSingh01 2020-11-24T21:25:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/367361#M413 <P>Hi BillStrahan,</P><P>&nbsp;</P><P>It would be beneficial to post the "alert source" and "alert name" values observed when executing the GoToMeeting file. Adding to the allow list, <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-response/investigate-files/manage-file-execution.html" target="_self">as instructed here</A>, would only work if the "Alert Source = 'XDR Agent'" and the "Alert Name contained 'malware.'"&nbsp; Other alert sources and names have different instructions for creating exceptions to permit a file to run. For example, an alert with "Alert Source = 'XDR Agent'"&nbsp;and the "Alert Name = 'Behavioral Threat,'" would need a BTP exception rather than a whitelist to permit execution.</P><P>&nbsp;</P><P>More information about the different ways to make exceptions can be found here: <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-exceptions-profile.html" target="_self">Add a New Exceptions Security Profile</A>.</P><P>&nbsp;</P><P>Please let us know your findings.</P><P>&nbsp;</P><P>PS. Given that the hash changes frequently, there are two other ways to permit the GoToMeeting file to run if it is being categorized as malware, and that is by adding the signer to the Allow List Signers ('Malware Security Profile' &gt; 'Allow List Signers,') or to a Files/Folders allow list ( 'Malware Security Profile' &gt; 'Files/Folders in Allow List.')</P> Fri, 04 Dec 2020 18:26:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/367361#M413 gjenkins 2020-12-04T18:26:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/367544#M418 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163514">@BillStrahan</a>&nbsp;-</P><P>&nbsp;</P><P>For this very "installer," the Trusted Publisher feature was introduced over 4 years ago.&nbsp; The Trusted Publisher feature should allow the installer to run.&nbsp; I recommend contacting Support if you are seeing blocks tied to the GTM installer.&nbsp;&nbsp;</P> Sun, 06 Dec 2020 18:47:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/367544#M418 dfalcon 2020-12-06T18:47:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/367850#M419 <P>Our prior AV solution began having fits with Goto products about a year ago.&nbsp; As paying customers we begged the LogMeIn vendor to stop changing the hash of the file each time it was downloaded to no avail.&nbsp; We were forced to place the vendors certificate on the allow list since this crippled the organization.&nbsp; We have not run into any issues with the Goto products with Cortex XDR Prevent 7.1.3 on Windows (don't do Mac/Linux).</P> Tue, 08 Dec 2020 16:54:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/367850#M419 EddieRowe 2020-12-08T16:54:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/373895#M428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163514">@BillStrahan</a>,&nbsp;</P><P>&nbsp;</P><P>Were you able to successfully add the GoToMeeting executable to the allow list using any previous suggestions?</P> Fri, 11 Dec 2020 17:19:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/gotomeeting-whitelist/m-p/373895#M428 gjenkins 2020-12-11T17:19:40Z